Wednesday, April 6, 2016

Sniff traffic in a remote node

Sniffing traffic on an interface is an excellent tool for a network manager. Linux-based routers like OpenWrt or Linux servers can use tools like tcpdump or Wireshark to capture the traffic on their interfaces. Mikrotik has its own tool too, “/tool/sniffer”. The problems start when you need to capture the traffic on a device that has no facility for this purpose, and they grow when the device is placed in a remote node.

Fortunately, there is a solution for each problem. In this post I will explain how to capture traffic on any interface of any device placed in any remote node of your network and how to send this capture to your computer in real time so you can view it with a graphical application like Wireshark. All you need is a little device running RouterOS with two network interfaces connected to the switch of the remote node.

See the scheme below to illustrate the example.


In the picture we can see a server; we want to sniff the interface of this server. We can see a Mikrotik router too. The router has two interfaces connected to the switch: one of them will be used for managing the device and the other one will be the sniffer interface.

Ok. Let's do magic:
The first thing you must do is configure a mirror port in the switch. A mirror port sends a copy of every packet received on a source interface to a destination interface. Obviously we want to configure the port connected to the server as the source port of the mirror and the port connected to the sniffer router (the Mikrotik router) as the destination interface.

The way to configure a couple of ports as mirror ports can differ between manufacturers. In a RouterOS switch the command is:

/interface ethernet switch
  set switch1 mirror-source=ether3-slave-local mirror-target=ether4-slave-local

On a Cisco IOS switch the commands are:

monitor session 1 source interface gigabitEthernet 1/1 both
monitor session 1 destination interface gigabitEthernet 1/2

With this first step the RouterOS router sees all the server's traffic. Now we need to send this traffic to our computer. RouterOS has a useful tool (/tool/sniffer) that can do it. This is the configuration:

/tool sniffer
  set filter-interface=ether4-slave-local streaming-enabled=yes streaming-server=192.168.2.5
  start

Ok. Now all the traffic of the server is sent to our computer, but RouterOS sends the traffic using the TZSP protocol, so you must configure a Wireshark filter to view only this type of packet.
Here is an example:


Now you can filter the packets of the server you want to view:


Note that the traffic sent to our computer comes from the IP 192.168.0.1 (the sniffer router), but the source shown in Wireshark is 192.168.150.226 (the server). You have to look at the packet encapsulated inside the TZSP header, not at the outer datagram.
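To make the encapsulation concrete, here is an added example in Python that does by hand what Wireshark's `tzsp` dissector does for you (in Wireshark the display filter is simply `tzsp`, and the stream arrives on UDP port 37008). This is my own code, not from the post and not a MikroTik tool. It assumes the standard TZSP layout: a 4-byte header (version 1, type 0 for a received packet, 16-bit encapsulation code, 1 = Ethernet) followed by a tag list that ends with tag 0x01, then the raw frame. The sample datagram is constructed for the test and is not a real capture; the MAC addresses and the RX-channel tag in it are invented.

```python
import socket
import struct

# TZSP constants (TaZmen Sniffer Protocol, as decoded by Wireshark's tzsp dissector)
TZSP_PORT = 37008          # UDP port RouterOS streams to and Wireshark listens on
TZSP_VERSION = 1
TZSP_TYPE_RX_TAG_LIST = 0  # "received tag list": a captured packet
ENCAP_ETHERNET = 1
TAG_PADDING = 0x00         # single byte, no length field
TAG_END = 0x01             # single byte, terminates the tag list
TAG_RX_CHANNEL = 0x12      # example of a length-prefixed tag


def parse_tzsp(datagram: bytes) -> dict:
    """Split one TZSP datagram (the UDP payload) into its fixed header,
    its tag list and the encapsulated frame. Raises ValueError on
    truncated or unsupported input instead of guessing."""
    if len(datagram) < 4:
        raise ValueError("datagram too short for the TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise ValueError(f"unsupported TZSP version {version}")
    tags = {}
    pos = 4
    while True:
        if pos >= len(datagram):
            raise ValueError("tag list has no END tag")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise ValueError("truncated tag length")
        length = datagram[pos]
        pos += 1
        value = datagram[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated tag value")
        tags[tag] = value
        pos += length
    return {"version": version, "type": ptype, "encap": encap,
            "tags": tags, "frame": datagram[pos:]}


def ethernet_summary(frame: bytes) -> dict:
    """Decode the inner Ethernet frame: MACs, EtherType and, for IPv4,
    the addresses the mirrored server actually used (what Wireshark shows)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "ethertype": ethertype}
    if ethertype == 0x0800 and len(frame) >= 34:
        info["src_ip"] = socket.inet_ntoa(frame[26:30])  # IPv4 source
        info["dst_ip"] = socket.inet_ntoa(frame[30:34])  # IPv4 destination
    return info


def build_sample_datagram() -> bytes:
    """Constructed test input (not a real capture): a TZSP datagram carrying
    an IPv4 header from the post's server address, with one optional tag
    present so the tag-list walk is exercised. MACs are invented."""
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0, 64, 17, 0,
                            socket.inet_aton("192.168.150.226"),
                            socket.inet_aton("192.168.2.5"))
    frame = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
             + b"\x08\x00" + ip_header)
    header = struct.pack("!BBH", TZSP_VERSION, TZSP_TYPE_RX_TAG_LIST, ENCAP_ETHERNET)
    tags = bytes([TAG_RX_CHANNEL, 1, 6, TAG_END])  # RX channel 6, then END
    return header + tags + frame


def receive_loop(bind_addr: str = "0.0.0.0", port: int = TZSP_PORT) -> None:
    """Listen for the RouterOS stream and print one line per inner frame.
    Malformed datagrams are counted and dropped, never partially trusted."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    bad = 0
    while True:
        data, (src_ip, _) = sock.recvfrom(65535)
        try:
            parsed = parse_tzsp(data)
            if parsed["encap"] != ENCAP_ETHERNET:
                continue  # only Ethernet encapsulation is decoded here
            print(src_ip, "->", ethernet_summary(parsed["frame"]))
        except ValueError as exc:
            bad += 1
            print(f"dropped malformed datagram from {src_ip}: {exc} (total {bad})")


if __name__ == "__main__":
    print(ethernet_summary(parse_tzsp(build_sample_datagram())["frame"]))
    # receive_loop()  # uncomment to read a live stream on UDP 37008
```

Run as-is to decode the constructed sample; call receive_loop() on the streaming-server host to read the live stream. Note that the outer UDP source is the sniffer router while src_ip/dst_ip come from inside the frame, which is exactly the distinction the Wireshark screenshot above is making. The stream itself is plain UDP with no authentication, so bind the listener only on the host you named as streaming-server and filter the port at that host's firewall.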
